A call about: cybersecurity
Aram Segaar, Corporate Information Security Officer in the Information Management Department, works every day with his team to create and maintain a secure working environment at Leiden University. October is ‘Cybersecurity Month’. Aram explains how the university stays safe and the conscious (and unconscious) role you can play in this effort.
Cybersecurity: what is Leiden University doing about this?
'The digital hack of Maastricht University at the end of 2019 was a rather late wake-up call for us. We had to get to work on making Leiden University safer. We’ve updated systems with outdated software, and colleagues at the ISSC are working daily to monitor ‘suspicious behaviour’. We’re also setting up a Security Office. This will be a department with staff who are fully dedicated to identifying security risks, drawing up policies, and helping to mitigate the risks identified.
So it’s all about information security, which I feel is a better description than cybersecurity. After all, this is about more than just digital security. Do you always lock your computer when you walk away? Do you put away papers with confidential information when you help your colleague on the other side of the room or when you receive visitors at home? Physical security is at least as important as digital security. We’ll also be paying more attention to this in the near future, for example by holding awareness training sessions and passing on this knowledge through the ‘train the trainer’ principle.'
Staff are now required to use Multi-Factor Authentication (MFA) every day. Why?
'MFA has been added to our daily routine because it makes our work and private environments more secure. It’s an extra check by the university to verify that the person who wants to access certain information is really you. MFA makes it more difficult for criminals to use your login details. Some colleagues find it annoying to use MFA every day, but we can’t avoid it. From a technical and policy viewpoint, we do everything we can to make it easier for everyone all the time. You can make things easier for yourself by, for example, setting up your fingerprint for MFA. It’s fast, effective and safe!
We have to accept that this is now part of our daily work. Just as you close and lock your front door when you leave home, you have to use MFA to access university information. Your username and password can be stolen, but requiring an extra action via your own phone makes it a lot harder for criminals to use this stolen data. One in eight companies in the Netherlands will experience a security hack this year. If you can prevent the university from becoming one of those eight by simply using MFA, why wouldn’t you do it?'
70% of security incidents are caused by an organisation’s own staff. How can we reduce this percentage?
'You can reduce the risk of an incident both online and offline. For example, when you receive an email, ask yourself whether you see what you expect. Did you expect to have to agree to a payment request or not? Also pay attention to spelling mistakes, the sender, and the other content of the email.
On the offline side, I always advise colleagues to lock their screens (Windows key + L) to keep valuable information safe, and to flag suspicious behaviour in the office. Have you come across someone you don’t know or someone who’s behaving strangely? As humans, it’s in our nature to welcome people in, but ask them who they are if you don’t know them. Don’t be afraid to speak to someone, because criminals thrive on that kind of fear.'
Finally, do you have any insider tips about information security?
'As humans, we first encountered dangers on land, then in water, air and space. Now we face the fifth domain: the cyber domain. It is today’s Wild West, a domain in which supervision, laws and regulations are limited. Cybercrime has an extremely low chance of detection, requires minimal effort and knowledge, and can lead to enormous returns. That’s why it’s so lucrative for criminals and has great strategic value for governments.
Give cybersecurity measures like MFA the benefit of the doubt. Get used to it and make it your own. And immerse yourself in security by following e-learning modules. If everyone knows how to work safely, we can all make the university a streamlined, secure organisation. That is great for you and for the outside world. Collaborations are established more quickly between organisations that have their security in order, and the university obviously places great value on this.'
There is a lot happening within Leiden University. The websites are filled with news on a daily basis. In the section 'A call about' we ask one of our employees to tell us more about a relevant and topical subject within the university. The answers give you more insight into the facts, but above all give you more personal background information. What was fun or frustrating? What was remarkable? What was good and what was bad? You can read all about it in 'A call about'.